I. INTRODUCTION

[...] computer technology during the previous two decades has affected virtually every aspect of government and private industry. As technological advances foster the availability of complex systems at lower prices, the integration of computer systems with governmental and industrial processes is accelerated. [...] systems range from relatively routine data processing tasks such as payroll, accounting packages, and inventory control to intricate scientific systems controlling space flights and decision support systems assisting managers in resolving unique problems.


The pervasiveness of this technology has created many new issues for management concern at all levels of government and industry. Among these issues is the subject of security. As systems become more and more complex, organizations which utilize them are becoming more and more dependent upon them. This [...] computer-center management to devote efforts toward improved security in all areas: hardware; software; communications; personnel; and administration [Ref. 1]. It is useful to consider exactly what we mean by the term "security" with respect to computer systems. According to [...], security is "a state of mind reached when one's assets are receiving [...] protection. Protection has three facets of equal importance. Preventative techniques are applied to prevent the occurrence of threats. Detective techniques are [...] to ensure that all threat occurrences are registered. Finally, for every threat occurrence there [...] appropriate response." [Ref.] [...] framework on which a computer system security plan may be developed. It may not be possible to design a system which defeats every intrusion attempt. However, an adequate goal for many organizations might be to raise the cost of unauthorized or illegal use of a system to an amount so high that it discourages any attempts. Although this goal is being pursued with vigor today, contemporary literature is replete with examples of computer crime. [...] Commerce estimates that if computer abuse grows proportionally with the number of computers in operation, there will [...] $160 million annual loss by 1985 [Ref. 3].

Government agencies at all levels and private enterprises, especially banks, must be concerned with the threat of sabotage and disruption, not only theft. [...] institutions participating in the electronic fund transfer system (EFTS) in the U.S. handle amounts of money equal to the national debt every four days [Ref. 4]. [...] for economic disaster of enormous magnitude exists. The motivation to prevent large-scale penetration and disruption of systems such as EFTS is providing impetus for security research.

The need for computer syst[...] The magnitude of the problem [...] problem are being addressed [...] example, software houses have developed sophisticated [...] packages. Many hardware [...] including some type of security-control features [...] products. [...] computer security, however, is not limited to technical considerations alone. Management must become intimately involved in this a[...] progress is to be made. A commitment by top management, clearly indicating to the entire organization the emphasis that must be placed upon security, is necessary. Management at all levels must be involved with determining policy and implementing measures concerning the organization of a computer security program, security administration, risk assessments, personnel practices, and back-up, recovery and disaster planning.

The federal government, including both civilian and military agencies, is the largest user of ADP facilities in the country [Ref. 5]. Computer usage spans a vast diversity of applications such as World-Wide Military Command and Control System (WWMCCS), Social Security System, communications, federal payroll and accounting systems, etc. This immense usage has logically generated interest in the security of these particular computer systems. In fact, the attention being devoted to the security of computer systems is so great that the Office of Management and Budget [...] requirements in 1978 that, among other things, each agency implement a computer security program. OMB also defined a minimum set of controls to be incorporated into each agency's computer security program. [Ref. 6]


Contemporary literature on computer security seems to be in agreement in expressing the view that the best approach to computer security is the "total systems" approach. Critical areas which must be examined include hardware, software, users, programmers, data, input/output documents, and procedures. Other facets of a system pertinent to a particular organization may also need to be examined. One element of the "total systems" approach is the conduct of a risk assessment.

What is a risk assessment? Many texts offer definitions which differ slightly in scope and degree. Perhaps the most concise and applicable is Peter Browne's definition: "[...] risk assessment is an analytic process designed to quantify [...] (data processing) security required by an organization. It considers the threats to information and the loss that would occur if a threat were to materialize." [Ref. 7] The results of a risk assessment enable an organization to consider solutions to security problems which are cost-effective. The solutions may either attempt to reduce the probability of threats, lessen the effects of various threats, or aid in the recovery from a "successful" threat.

An organization may be able to conduct its own internal risk assessment if personnel assets are available. Specialists in computers, security, finance, personnel and operations will be required. Contracts may be utilized with one of several commercial companies organized to conduct, or to provide limited assistance in, risk assessments. Chapter Three will address this issue in depth. Of course, the active participation of management is crucial.

A risk assessment is a dynamic concept. It should be revised periodically to account for any changes in equipment, software, operating procedures, [...] element which might affect the overall security of the system. In particular, Naval activities with computer systems are required to update their risk assessments at least every five years [Ref. 8].

The federal government, as well as business enterprises, must approach the security problem in an economical manner. The risk assessment provides a logical framework to conduct [...] analysis. Management must provide guidelines to [...] answers to the following questions:
1) What are the specific results required; how much security is required?
2) What is the proper balance between security program cost and potential benefits?
3) When tradeoffs can be made between protection and recovery, how much effort should be expended on each? [Ref. 9]

Obviously the minimum amount of security needed is to protect those items that are required to keep the organization operating. The security manager should incorporate [...]

3) loss of organization asset by means o[...] applications - when assets such as accounts rec[...] negotiable securities, etc. are [...] computer, they are vulnerable to fraud and manipulation.
4) loss of data confidentiality - disclosure of personal or proprietary data to unauthorized persons can cause economic loss, dilution of planning efforts, loss of [...] morale, and legal action. [Ref. 11]

The potential threats and the losses associated with each threat must be considered together. Each pairing of threat and loss should be ranked according to their impact upon the [...]. After this ranking has been developed, the process of examining cost-effective countermeasures can be studied.

This chapter has provided an overview of the nature of the computer security problem today. In particular, the concept of risk assessments has been introduced and its potential benefits to organizations have been considered. The subject of risk assessment and related ideas will be addressed in greater detail in later chapters. Chapter Two will detail the history and evolution of risk assessment requirements w[...] Department of the Navy. Chapter Three will examine various points which mu[...] when an organization is deciding whether to do an "in-house" risk assessment or to contract this function with a commercial company. A general framework for conducting a risk assessment at the Naval Postgraduate School will be discussed in Chapter Four. The framework will be based upon the guidelines promulgated in OPNAVINST. 5.2392 URN. Chapter Five will examine how to design a decision support system to assist management in conducting a risk assessment. Basic design modules will be presented and some particular problems associated with data base management will be considered. [...] computer security in general, and risk assessments in particular, has advanced to such a degree that several companies now offer automated risk assessment systems. A brief consideration of these systems and a comparison of their attributes vis-a-vis manual systems will also be presented in Chapter Five. The final chapter will summarize the pertinent points covered in this thesis. Some conclusions will be drawn about the st[...] of risk assessments in the modern organizational environment. Lastly, some recommendations to improve the effectiveness and efficiency of the risk assessment process will be presented.

II. DEPARTMENT OF DEFENSE/DEPARTMENT OF THE NAVY DIRECTIVES


A. GENERAL 


From the outset, the Federal Government has [...] pioneer in the development of advanced [...] "The first successful large scale data proces[...]tion was made in the early fifties at the Ce[...] the initial impetus toward programming langua[...]ness applications came from Department of Defense support of the COBOL programming language in the sixties" [Ref. 12]. From that point on, the rapid growth of computer technology and the government's reliance on accurate computing systems rose at an exponential rate. Poor accounting and managerial control practices, however, have brought about extreme inaccuracies in the data pertaining to computer hardware and software inventories held by the Federal Government. In 1976, estimates of the amount of money spent on data processing were decidedly vague. "The General Accounting Office (GAO) was able only to bracket Federal Data Processing spending as between $3 billion and $10 billion annually. More recently, the Office of Management and Budget (OMB) has cited a figure of $5.5 billion, and the General Services Administration (GSA) has estimated the cost of software development and maintenance alone at $2.2 billion." [Ref. 12] A large percentage of these expenditures were attributed to the DOD. In 1981, the number of installed computer systems was estimated to be around 15,000, while the number of personnel working in the computer field was estimated at 100,000 [Ref. 12]. These figures, however, are gross approximations [...]

[...] the science of computer technology was a relatively new phenomenon at the time the government began to explore its possibilities, the development of government computer systems was done in a rather piecemeal fashion, with little regard to the managerial aspects of designing and implementing computer systems. The emphasis was on buying/developing and getting the systems into operation as fast as possible in order to show that a functional entity had resulted from all the monetary and personnel reso[...] had been expended. As a result of this [...] (or rather mis-management), government agencies were faced with computer systems that were inflexible, inaccurate, and [...] to rapid obsolescence. The public outcry o[...] amount of tax dollars spent on mismanaged computer reso[...] led the Federal Government to issue policy directi[...] addressing computer management [...] requirements analysis to final test and implementation.


B. GOVERNMENT CONCERNS

At about this same time, there was a growing concern over the security vulnerabilities inherent in these new computer systems. Although hardware and software m[...] had been progressing at a rapid rate, little consideration had been given to computer security technology. However, [...] the Brooks Act of 1965, the Office of Management and Budget (OMB) had been assigned respo[...] oversight and policy-making functions applicable to computer systems development and acquisition. Thus, "in 1972, -- OMB urged private industry -- hardware manufacturers, software houses and related service industries -- to make greater capital investments in computer security. At the time, the Federal Government was concerned that its inability to protect data in computer systems -- except at very great expense -- was limiting its ability to realize the benefits [...] technology." [Ref. 13] In December of that same year, the Department of Defense issued DOD Directive 5200.28 entitled "Security Requirements for Automatic Data Processing (ADP) Systems". The purpose of the directive was to "establish uniform policy for protecting classified data stored, processed, or used in, and classified information communicated, displayed, or disseminated by an Automatic Data Processing (ADP) System" [Ref. 14]. Although DOD 5200.28 does not directly address risk assessments, it does require that the heads of DOD components provide for the appointment of an ADP Security Officer, who will later play an important role in conducting risk assessments for Navy computer [...]

[...] OMB became even more concerned with encouraging the growth of computer security technology since the Privacy Act of 1974 set "forth a series of requirements governing Federal agency personal record-keeping practices" [Ref. 15]. These requirements increased the need to provide security for the personal data maintained in Federal computer systems.


C. LEGISLATION 


The Brooks Act also assigned other agencies responsibilities contributing to the Federal ADP programs. The National Bureau of Standards (NBS), under the Secretary of Commerce, was tasked with providing "leadership, technical guidance, and coordination of Government efforts in the development of guidelines and standards" [Ref. 19] in areas pertaining to ADP and ADP Security. The basic philosophy behind the NBS work in ADP Security was reflected in Federal Information Processing Standards Publication (FIPS PUB) 31 of June, 1974: "Data confidentiality and computer security are dependent upon the application of a balanced set of managerial and technological safeguards. Within the context of a total security program, the NBS is pleased to provide guidelines for ADP Physical Security and Risk Management available for use by Federal agencies" [Ref. 19].

1 The terms "Risk Analysis" and "Risk Assessment" can be used interchangeably. While early government directives used "Risk Analysis", it is now more common to use "Risk Assessment".


The concept of Risk Management was introduced at this time to provide federal agencies with guidelines for applying management principles to the risks associated with the acquisition of hardware and software. Although FIPS PUB 31 specifically addresses physical security programs, [...] touches upon procedural aspects, contingency planning, supporting utilities, computer reliability, disaster probabilities, security awareness programs, and risk analysis methodologies. [...] one of the first to provide specific recommendations on implementing comprehensive computer security programs. [...], however, that its contents were strictly composed of recommendations and guidelines - they did not constitute a government directive mandating computer security requirements on government agencies. The publication was edited by Susan K. Reed of the Systems and Software Division of NBS. She later authored a government document on conducting risk analyses which would be included as an addendum to DOD 5200.28-M, the Department of Defense ADP Security Manual. This manual will be discussed in more detail in a subsequent section.


It is interesting to note that FIPS PUB 31, published in [...], covers in great detail those security practices that are advocated by more recent publications. Unfortunately, the publication has been overshadowed by current directives [...] must be done but not how to do it. For example, conventional risk assessments require an analysis of the potential threats to an ADP facility caused by windstorms, hurricanes, and tornadoes. Such information could conceivably be obtained from the National Weather Service, but it is already provided in FIPS PUB 31. In Key [...], to be specific, the annual probability that a hurricane will occur is 13% [Ref. 20]. This figure could be [...] as direct input to the threat analysis form for the current DOD-advocated risk assessment methodology.


[...] a security program, the FIPS encourages government agencies to "perform a preli[...] to identify major problem areas and selec[...] measures as needed to [...] major problem areas" [Ref. 21]. The idea behind this is that, since computer [...] an ongoing process, the most obvious security problems should be handled in an expeditious manner - agencies need not and should not wait until a comprehensive risk assessment has been completed prior to tackling the serious security problems. In the meantime, a preliminary assessment should be done to help isolate those problems.


The actual risk assessment methodology presented in the [...] is a sound one. It gives an excellent overview of the means by which a risk assessment may be conducted, [...] with charts, tables, and figures that the user may [...] calculating the final Annual Loss Expectancy (ALE) value. However, the publication is somewhat weak when it comes to describing the format or layout of an agency's actual assessment document.

D. DEFINITIONS

Before going into the specific risk assessment method[...] outlined in the FIPS, it is appropriate to define certain terms which are common to most, [...] government-endorsed risk assessment methodologies:

THREAT - an overt or covert activity which may cause loss or damage to a computer facility;

LOSS - the potential for being deprived of computer assets or services;

VULNERABILITY - the weakness inherent in a computer system, which makes it susceptible to loss or damage;

ANNUAL LOSS EXPECTANCY (ALE) - an estimate of the amount of money that a computer facility could potentially lose in a year if threats against the faci[...] realized.


E. FIPS PUB 31 METHODOLOGY

The FIPS methodology is basi[...] (1) Make an estimate of the potential losses to which the computer facility is exposed; (2) [...] threats which may be made aga[...] Combine the estimates of potenti[...] loss to produce an ALE value.

1. Estimating Loss

[...] done in terms of five distinct categories: "(1) physical destruction or theft of physical assets; (2) loss or destruction of data and program files; (3) theft of information; (4) theft of indirect assets; and (5) delay or prevention of computer processing" [Ref. 21]. [...] this procedure are an identification of the computer facility's assets and dollar values for loss estimates.


Of the five categories listed, the first is undoubtedly the most straightforward. Replacement costs for such items as hardware, communications equipment, supplies, and the building itself should be [...] inventory files as required by [...]SA. Unfortunately, many federal agencies have neglected to maintain inventory files over the years. One of the fringe benefits of a risk assessment is that such inventories must be generated, thus enhancing a command's resource management capabilities. Once these inventories have been made available, the estimate of loss for a particular piece of equipment corresponds to its replacement cost. For example, if a high-speed line printer costs $5000, then its loss estimate would be the same - the command has the potential for losing $5000 if the printer were to be destroyed or stolen.


[...] the second and third categories, loss or destruction of data and program files and th[...] great deal of attention in recent years. The Comm[...] Naval Data Automation Command (COMNAVDAC), spent a significant amount of time and money in trying to bring the question of the [...] perspective. Some consideration was given to standardizing data value based on the number of lines of code and/or security classification. [...] line of code in a 100-line program file might be valued at $10, [...] would thus contribute $1000 to the agency's ALE. In essence, it would cost the command $1000 to reconstruct the file. In a similar manner, a word of SECRET or TOP SECRET [...], if compromised or stolen, might be valued at $100 and $209 respectively. By standardizing these values, computing the ALE for most types of computer software would be a simple matter of mathematical calculation, with lines of code (the amount of money it would cost a programmer to reproduce the code) being an absolute value, and classified code representing a relative value. In theory, such methods have a sound basis. [...] application of such methods has proven to be rather unrealistic. [...] COMNAVDAC has recently abandoned [...] attempts to provide for standardization in favor of more practical methods.

"If the ADP system is used to control other assets such as cash, items in inventory, [...] performance of services, then it may also be used to steal such assets." [Ref. 22]. These assets are known as indirect assets, and their loss estimate corresponds to the real value of the asset.

In estimating the potential loss caused by the delay or prevention of processing, several considerations must be addressed. Some losses may be estimated in a relatively straightforward manner. Obvious examples involve a failure to process payment checks promptly, thereby preventing the exercise of a prompt payment discount under a [...] contract, or delays in an inventory system which may lead to idle manpower at a warehouse [Ref. 22]. In a situation where a computer facility functions as a service agency, the loss estimate would be based on the revenues lost as a result of the customers being denied access to the computer system. On the other hand, "...in those situations where a delay would more or less halt operations of an [...] the daily operating cost of an agency as [...] rule-of-thumb estimate of [...] processing" [Ref. 22].





In general, there are time ranges or limits within which loss estimates will differ. If service is denied but the system can be brought back up within a reasonable amount of time, it is possible that no loss will be incurred during that time period. However, after a certain period of time [...] which the computer system has not been returned to service, losses will be incurred, and in general, such losses will grow in proportion to the duration of the delay. The FIPS PUB stresses the importance of establishing this "maximum 'no loss' delay time and an estimate of the median time to reconstruct the ADP facility after total destruction" [Ref. 22]. Once these time/cost boundaries have been made, then the time period can be divided into various ranges and loss estimates can be assigned accordingly.

When conducting a preliminary estimate of all potential losses, the task might be simplified by [...] data in tabular form, as shown in Table I, extracted from FIPS PUB 31.

TABLE I
Loss Exposure

Task    Loss of Data    Theft of [...]    [...] Assets    [...] Processing
C       Yes             No                No              Extreme
R       Yes             Yes               Yes             [...]
E       No              Yes               Yes             Moderate
T       No              Yes               Yes             Low
[...]   No              No                No              Very Low

TABLE II
Sources for Threat Information

Threat:
[...]
Flood
Earthquake
[...]
Power Failure
Air Conditioning Failure
Communications Failure
ADP Hardware Failure
Intruders, Vandals, etc.
Compromising Emanations
Internal Theft or Misuse

Sources of Information:
Building fire marshal and local fire department
[...]
National Oceanic and Atmospheric [...]
[...] utility
[...] Air Conditioning vendor
Federal Telecommunications System, buildin[...] and local telephone company
[...] and Federal Supply Service
[...] security [...] Protective Service Management, GSA
Hardware vendors and [...] Office of Federal Protective Service Management, GSA
[...] and Personnel Division

In proceeding with the second step of the risk assessment, that of evaluating the threats against the ADP facility, the ADP Security Planner (i.e. the person responsible for conducting the overall risk assessment) should solicit the help of fire marshals, hardware vendors, other government agencies, in-house personnel, and/or any agency or person who might contribute inputs to a threat evaluation. Table II provides a list of sources of information for different categories of threats.


Although the FIPS gives little i[...] specific numerical figures to use in quanti[...] does provide specific guidance on determining threat probabilities. Figure 2.1, for example, a seismic risk map of the United States, gives the user a rough idea of the long-term hazards caused by earthquakes.

[Figure 2.1: seismic risk map of the United States, FIPS PUB 31]

3. Calculating the Annual Loss Expectancy (ALE)

The final step in the risk assessment process itself, although follow-on action is understood, [...] the determination of the ALE. This can be accomplished ([...] understood) by constructing a matrix of threats and the losses which might be associated with them. Table III shows a computation for estimating the expected losses that might be caused by fire damage.

Construction of such a matrix is a common procedure in operations research and management sciences where the objective may be to minimize losses (as in this case) or maximize profits. The occurrence probabilities shown (.10, [...]05) may be derived by analyzing the facility's fire safety precautions, a procedure for which the FIPS PUB gives detailed guidance.


The dollar amounts for loss may be computed as described earlier in the chapter. Once these figures have been made available, estimates for the total potential loss and the annual loss for each category can be calculated by multiplying the occurrence probability by the loss figures. Similar tables can be constructed for natural disasters such as earthquakes, tornadoes, volcanic eruptions, floods, and others.

Upon completion of the estimation of the ALE for all categories of loss, the security manager should have a better understanding of the coupling of threats and losses in his facility. He is then in a position to prioritize his work in the area of computer security countermeasures. In general, remedial measures should be applied to those areas in which the loss potential is the greatest. The end result, then, of the risk assessment process is a cost-benefit analysis of expending funds towards the "securing" of a specific computer security weakness. If, for example, the ALE for building damage caused by fire is [...], then the agency should be willing to spend up to that amount in providing remedial measures to lessen that loss potential. The risk assessment will thus provide the security manager with the ammunition he needs to get top management support on funds for security countermeasures.

TABLE III
Estimating Fire Loss

Loss                      Fire
Probability               .0008
Building Damage           $3,700,000
ADP Hardware              2,100,000
General Equip.            285,000
Supplies, etc.            130,000
Task D--Delay             35,000
Task D--Delay             100,000
Task Y--Delay             250,000
File Reconstruct          85,000
Total potential loss      8,685,000
Annual loss ...           $ 3342
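
The matrix calculation described above, as an added example that is not taken from the thesis or from FIPS PUB 31: each threat's occurrence probability is multiplied by its loss figures, delay losses begin only after a "maximum no-loss" delay time, and the resulting ALE bounds what a countermeasure is worth. All threat names, probabilities, dollar figures and function names are constructed for illustration.

```python
"""ALE matrix in the style of the FIPS PUB 31 method summarized above.
Every threat, probability and dollar figure below is a constructed sample."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float   # chance of occurrence in one year
    losses: dict                # loss category -> dollars lost per occurrence


def delay_loss(hours_down, max_no_loss_hours, cost_per_hour):
    """Loss from delayed processing: zero inside the 'maximum no-loss'
    delay time, then growing in proportion to the rest of the outage."""
    if hours_down < 0 or max_no_loss_hours < 0 or cost_per_hour < 0:
        raise ValueError("durations and costs cannot be negative")
    return max(0.0, hours_down - max_no_loss_hours) * cost_per_hour


def ale_matrix(threats):
    """One row per threat (potential loss and ALE), largest ALE first."""
    rows = []
    for t in threats:
        if not 0.0 <= t.annual_probability <= 1.0:
            raise ValueError(f"{t.name}: probability must lie in [0, 1]")
        if any(v < 0 for v in t.losses.values()):
            raise ValueError(f"{t.name}: loss figures cannot be negative")
        potential = sum(t.losses.values())
        rows.append({
            "threat": t.name,
            "potential_loss": potential,
            # annual loss = occurrence probability x loss figure
            "ale": round(t.annual_probability * potential, 2),
            "ale_by_category": {c: round(t.annual_probability * v, 2)
                                for c, v in t.losses.items()},
        })
    # Remedial work goes first to the pairing with the greatest expected loss.
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def net_benefit(ale_before, ale_after, annual_cost):
    """Yearly saving from a countermeasure minus its yearly cost.
    A negative result means it costs more than the loss it removes."""
    return round((ale_before - ale_after) - annual_cost, 2)


# Constructed sample facility (not figures from Table III).
SAMPLE_THREATS = [
    Threat("Fire", 0.002, {
        "Building damage": 1_000_000,
        "ADP hardware": 500_000,
        # 72-hour outage, 8 hours tolerable, $1,000 per hour afterwards
        "Delay of processing": delay_loss(72, 8, 1_000),
    }),
    Threat("Power failure", 0.5, {
        "ADP hardware": 4_000,
        "Delay of processing": delay_loss(6, 2, 1_500),
    }),
    Threat("Theft", 0.05, {
        "ADP hardware": 5_000,
        "Indirect assets": 20_000,
    }),
]


if __name__ == "__main__":
    rows = ale_matrix(SAMPLE_THREATS)
    for r in rows:
        print(f"{r['threat']:<14} potential ${r['potential_loss']:>12,.0f}"
              f"   ALE ${r['ale']:>9,.2f}")
    # Hypothetical countermeasure: standby power costing $1,200 per year
    # that cuts the power-failure probability from 0.5 to 0.1.
    before = rows[0]["ale"]
    after = ale_matrix([Threat("Power failure", 0.1,
                               SAMPLE_THREATS[1].losses)])[0]["ale"]
    print("net yearly benefit of standby power:",
          net_benefit(before, after, 1_200))
```
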


The preceding synopsis of the FIPS methodology might seem to be, as presented, a relatively straightforward process. However, the FIPS PUB clearly states, "...this is not an exact science. Indeed, it is quite [...] have to reappraise threats and losses more than once, concentrating on the areas initially identified as most critical, before the loss expectancy estimate reaches a satisfactory level of confidence." [Ref. 23]

The level of detail provided for the above FIPS PUB methodology will serve as a point of reference for descriptions of subsequent methodologies. Other risk assessment methodologies will be discussed in terms of how they differ from the one described in FIPS PUB 31.


F. SUBSEQUENT GOVERNMENT DIRECTIVES 


Shortly after the release of FIPS PUB 31, the Privacy Act of 1974 was enacted. [...] A-108, distributed six months later, was written to assign responsibilities for the security of the personal records maintained by Federal agencies. Under this directive, the term "system of records" is defined as "...a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual" [Ref. 16]. Since computer and word processing systems are perfect vehicles for data storage and retrieval, it was and is only natural that they would be used for the maintenance of personal records. A-108 further mandated that reasonable administrative, technical, and physical safeguards are established to ensure that personal records are only disclosed to those who are authorized to have access to them [Ref. 17]. [...] that security countermeasures must be in effect for all federally-owned computer systems maintaining personal data. The directive also required that the GSA "revise computer and telecommunications procurement policies to provide that agencies must review all proposed equipment and services procurements to [...] compliance with applicable provisions of the Act" [Ref. 18]. This was the first of many government directives [...] that federal agencies address security issues in their computer development and acquisition plans. However, outside of FIPS PUB [...] distribution [...] knowledge of which was very limited, [...] Federal Government was slow to document specific policies and procedures for implementing computer security programs.


Finally, three years later in July, 1978, OMB Circular
A-71, entitled "Security of Federal Automated Information
Systems", was approved for distribution. The [...] purpose
of A-71 was to promulgate "policy and responsibilities for
the development and implementation of computer security
programs by executive branch departments and agencies"
[Ref. 28]. This circular documented the requirement that
periodic risk assessments be conducted by each federal
agency operating a computer [...]. Although A-71 provided no
guidelines on how to conduct a risk assessment, it did
require that a risk assessment be carried out or [...] under
any of the following conditions:

1.) prior to the approval of design specifications for
new computer installations;

2.) whenever there is a major change to the physical
facility, hardware or software; or

3.) at periodic intervals of time, not exceeding five
years, if no risk assessment has been performed
during that time.

[Ref. 25]

This directive had serious consequences for all federal
agencies. For most agencies, the third condition was the
one under which the risk assessments would be [...].
Those agencies which had yet to perform a risk assessment
interpreted the condition as meaning that they had a
five-year deadline on the requirement. Unfortunately, [...]
slowed response from many federal agencies.


To promulgate the requirements of A-71, the Department of
the Navy issued OPNAVINST 5239.1 in April, 1979. This
instruction specified the A-71 requirements for all DON
activities [...] the [...] provided by A-71, did require
that all DON activities [...] Security Officer who would be
[...] a risk assessment would be cond[...] enclosures that
were [...] as part of [...] DOD 5200.28-M, entitled
"Techniques and Procedures for Implementing, Deactivating,
Testing, and Evaluating Secure Resource-Sharing ADP
Systems", and a set [...] guidelines for conducting risk
assessments [...] edited by Susan K. Reed. The former,
[...] ADP Security Manual, [...] provided standardized
guidelines for securing computer systems - it did not
address risk assessments; the latter, however, provided an
excellent generic framework for conducting risk assessments.
Its merit was more in facilitating the security officer's
understanding of the risk assessment model than in the
actual methodology proposed. The technique presented by the
methodology is similar to that presented in FIPS PUB 31, but
is a more mathematically-oriented model. These guidelines
were later released in August, 1979, as FIPS PUB 65,
"Guideline for Automated Data Processing Risk Analysis".


G. FIPS PUB 65


In general, FIPS PUB 65 "explains the reasons for
performing a risk analysis, details the management
involvement necessary and presents procedures and forms to
be used for risk analysis and cost effective evaluation of
safeguards" [Ref. 26]. Unlike FIPS PUB 31, this NBS
publication gives no guidance on estimating specific loss
probabilities (ie. there are no seismic risk maps or tables
with hurricane probabilities for various regions), but it
does provide a better and more detailed explanation of the
quantitative measures and forms required for a risk
assessment. In [...], FIPS PUB 65 covers the ambiguities
present in FIPS PUB 31. The two in combination provide a
powerful framework under which a viable risk assessment can
be conducted.

Like most methodologies, the one advocated by FIPS PUB 65
recommends that a preliminary security analysis be performed
[...] to identify a computer installation's assets,
threats, vulnerabilities, and thus, the facility's security
posture. Three specific products will result from this
preliminary analysis:

1.) a list of asset replacement costs;

2.) a list of threats to which the facility is vulnerable;

3.) a list of existing security measures. [Ref. 27]

These products, once assigned quantitative measures, will
form the basis for the computation of the ALE(s).


The next step in the FIPS methodology is to quantify the
measures for impact and the frequency of occurrence for
[...]. The impact of an event is defined as "the exact
amount of damage it could cause, while the frequency of
occurrence refers to the exact number of times the event
could occur." [Ref. 28] The common denominator selected for
both measures is monetary value, and a year is the time
period against which frequencies of occurrence will be
[...]. To simplify such quantitative measures, estimates
for impact and frequency are rounded off [...].
The range of measures for both categories is shown in Table
IV:





TABLE IV
Orders of Magnitude of Estimated Impact and Frequency

IMPACT:
    $10
    $100
    $1000
    $10,000
    $100,000
    $1,000,000
    $10,000,000
    $100,000,000

FREQUENCY:
    Once in 300 years
    Once in 30 years
    Once in 3 years (1000 days)
    Once in 100 days
    Once in 10 days
    Once per day
    10 times per day
    100 times per day


The FIPS emphasizes that rounding off the figures will
not have a significant effect on the overall ALE. The
relevance lies in orders of magnitudes rather than in
absolute figures. Thus, there will be no significant
difference in the overall exposure whether the damage from a
certain event is estimated at $110,000 or [...], or whether
the frequency of an event is expected to be twelve times a
year [...] [Ref. 29]. Once the impact and frequency
measures have been determined, the ALE can be readily
calculated using the following formula:

LOSS = IMPACT (I) x FREQUENCY OF OCCURRENCE (F)


To use this formula, however, it is first necessary to
index the impact (i) and the frequency (f) measures from
Table IV. The resulting indices are shown in Table V.


TABLE V
Table for Selecting of Values of i and f

If the estimated cost impact of the event is
    $10, let i = 1
    $100, let i = 2
    $1000, let i = 3
    $10,000, let i = 4
    $100,000, let i = 5
    $1,000,000, let i = 6
    $10,000,000, let i = 7
    $100,000,000, let i = 8

If the estimated frequency of occurrence is
    Once in 300 years, let f = 1
    Once in 30 years, let f = 2
    Once in 3 years, let f = 3
    Once in 100 days, let f = 4
    Once in 10 days, let f = 5
    Once per day, let f = 6
    10 times per day, let f = 7
    100 times per day, let f = 8


To use the indices in the previous equation, they must first
be related to Impact (I) and Frequency of Occurrence (F).
Such relationships are expressed in the following equations:

For Impact, I = 10^i

For Frequency, F = 10^f / 3000

If the impact of an event is estimated at $100 (i=2
from Table V) then I = 10^2 = 100. Similarly, if the
frequency of occurrence is estimated to be once per day
(f=6), then F = 10^f / 3000 = 10^6 / 3000 = 333.3.


Consider the following practical example, where the
potential impact of a hurricane is $100,000 in damage to the
computer facility, and the frequency for a hurricane is once
in thirty years. The ALE would then be computed as follows:

IMPACT: $100,000 (i=5)
    I = 10^5 = 100,000

FREQUENCY: 1/30 years (f=2)
    F = 10^2 / 3000 = .0333

LOSS: I x F = 100,000 x .0333 = 3,330

Thus, the ALE resulting from a hurricane would be
approximately $3,000.


It is not necessary, however, to compute the ALE [...]
these tedious and cumbersome equations. [...] figure 2.2 to
facilitate the process. The ALE [...] a particular event
can then be found at the intersection of the values
estimated for impact and frequency.
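The index arithmetic described above, as an added Python example (not code from FIPS PUB 65 or from this thesis): it maps raw estimates to the Table V indices, computes ALE = 10^(i+f) / 3000, rebuilds the Figure 2.2 lookup grid, and totals a worksheet by threat category. The function names, the log-scale rounding rule and the sample worksheet rows are assumptions of this example.

```python
import math
from collections import defaultdict

MIN_INDEX, MAX_INDEX = 1, 8   # Table V defines i and f only for 1..8


def _nearest_index(log_value):
    """Round to the nearest whole order of magnitude, clamped to Table V.

    Assumption of this example: "nearest" is taken on a log10 scale, so
    the break point between $100 and $1000 is about $316.
    """
    idx = math.floor(log_value + 0.5)
    return max(MIN_INDEX, min(MAX_INDEX, idx))


def impact_index(dollars):
    """Index i such that the rounded impact is I = 10**i dollars."""
    if dollars <= 0:
        raise ValueError("impact must be a positive dollar amount")
    return _nearest_index(math.log10(dollars))


def frequency_index(events_per_year):
    """Index f such that the rounded frequency is F = 10**f / 3000 per year.

    The divisor 3000 calibrates f=3 to "once in 3 years (1000 days)".
    """
    if events_per_year <= 0:
        raise ValueError("frequency must be positive")
    return _nearest_index(math.log10(3000 * events_per_year))


def ale(i, f):
    """ALE = I x F = 10**i * 10**f / 3000, in dollars per year."""
    for name, idx in (("i", i), ("f", f)):
        if not MIN_INDEX <= idx <= MAX_INDEX:
            raise ValueError(f"{name} must be in {MIN_INDEX}..{MAX_INDEX}")
    return 10 ** (i + f) / 3000


def ale_matrix():
    """Lookup grid in the style of Figure 2.2: matrix[i][f] -> ALE."""
    indices = range(MIN_INDEX, MAX_INDEX + 1)
    return {i: {f: ale(i, f) for f in indices} for i in indices}


def score_worksheet(rows):
    """Index each raw estimate, compute its ALE, total ALEs per category."""
    scored, totals = [], defaultdict(float)
    for data_file, category, dollars, per_year in rows:
        i, f = impact_index(dollars), frequency_index(per_year)
        loss = ale(i, f)
        scored.append((data_file, category, i, f, loss))
        totals[category] += loss
    return scored, dict(totals)


# Constructed worksheet rows (not taken from FIPS PUB 65 or the thesis):
# (data file, threat category, estimated impact in $, events per year)
SAMPLE_ROWS = [
    ("payroll master", "integrity: modification", 110_000, 1 / 30),
    ("payroll master", "confidentiality", 8_000, 12),
    ("inventory", "integrity: destruction", 145_000, 1 / 25),
    ("inventory", "availability", 900, 30),
]

if __name__ == "__main__":
    # The hurricane case from the text: i=5, f=2. The exact quotient is
    # 3,333.33; the text's 3,330 comes from rounding F to .0333 first.
    print(f"hurricane ALE: ${ale(5, 2):,.2f}")
    scored, totals = score_worksheet(SAMPLE_ROWS)
    for data_file, category, i, f, loss in scored:
        print(f"{data_file:15} {category:24} i={i} f={f} ALE=${loss:,.0f}")
    for category, total in sorted(totals.items()):
        print(f"total {category:24} ${total:,.0f}")
```

Because both estimates collapse to whole indices before multiplication, two analysts whose raw figures differ by less than about a factor of three will usually land in the same cell of the grid.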


When all ALEs have been calculated [...] that the approach
to the remainder of the task be done in an orderly and
structured manner. In short, it recommends that "the risk
analysis task is better approached from the [...] of the
data files, or applications systems, of which there is a
finite number" [Ref. 30].
Figure 2.2 Combined Matrix of i, f, and ALE.


In terms of such software considerations, the publication
discusses three conditions which might result if [...] a
computer system were realized: DATA INTEGRITY (destruction
or unauthorized modification of data), CONFIDENTIALITY (ie.
a compromise of classified data), and [...] AVAILABILITY
(pertaining to the amount of time [...] computer system can
be returned to service after failure).


To provide [...] the recording of the risk assessment
findings, the FIPS PUB supplies the worksheet presented as
figure 2.3. Such a worksheet might simplify the
record-keeping aspect of the process, but it is [...] a
suggestion - if used, [...] be [...] or tailored to an
agency's needs.
[Figure 2.3: FIPS PUB 65 risk analysis worksheet. Legible
headings: SYSTEM/APPLICATION, DATA INTEGRITY (modification,
destruction), CONFIDENTIALITY, with (i), (f) and (ALE)
columns.]














On this particular worksheet, data files are listed
separately, and arranged by application. Impact and
frequency estimates and ALE(s) for each category of threat
are then listed alongside the associated file. A comments
column is provided to allow for an amplification of the
figures shown. As an additional guide to using these work
sheets, the FIPS PUB presents a practical example (for a
small organization) of a complete risk assessment.


The FIPS PUB attempt to structure the risk analysis
process adds a degree of credibility to the overall
methodology. However, it is unreasonable to expect that the
whole process can be carried out as a "cookbook" method.
[...] limits to structuring such a task, particularly in
areas such as identifying and estimating the threats
against a facility. In short, "ADP risk analysis is a
technique which relies heavily on the intuition, experience
and technical knowledge of the team members" [Ref. 30].

H. CURRENT DIRECTIVES

Approximately a year after the release of FIPS PUB 65,
[...] distributed a ten-page document entitled "Risk
Analysis Standard". The p[...] to standardize the
terminology and concepts behind the [...] philosophy for
conducting risk assessments. [...] supply any specific
guidelines or methodologies.


Finally, in August, 1982, the DON approved and distributed
OPNAVINST 5239.1A, a full and comprehensive manual
describing the Navy's ADP Security program. A significant
portion of this manual addresses the approved DON risk
assessment methodology, complete with forms and specific
[...]. The procedural aspects of this methodology will be
presented as a practical framework for a risk assessment
that could be conducted at the Naval Postgraduate School,
in Chapter 4.
This chapter has described how the currently-approved DON
methodology has evolved over the years. Figure 2.4 shows a
time line of the events leading to OPNAVINST 5239.1A.

Figure 2.4 Time Line of Government Directives.



A. GENERAL 


With the distribution of OMB Circular A-71 in 1978 came
the requirement that a "Risk Assessment" (sometimes
re[...] as a "Risk Analysis") be conducted at each computer
installation operated by a federal agency. While the risk
assessment methodology currently [...] the Department of
Defense is a manual system, there are commercial software
packages available, notably PANAUDIT by Pansophic Systems,
which could facilitate the "number-crunching" aspect of risk
assessments. Unfortunately, [...] software [...] and thus
has limited application to Navy computer systems.


[...] few years, numerous government directives [...] for
conducting [...] been disseminated. Many of these have
re[...]. In 1977, in a[...] methodology that could be
applied to various sizes and types of computer systems
within the Department of the Navy, COMNAVDAC let a contract
to Systems Development Corporation (SDC) to develop and
document such a methodology. This [...], involving [...]
support services, falls under the Policy/Program Review
category outlined in NAVMATINST 4200.50C. The justification
for contracting out such a service was undoubtedly a matter
of the expertise held by the commercial marketplace. The
[...] of the contract with SDC is contained in NAVDACINST
[...], the Department of the Navy ADP Security Manual.
[...] still in draft form, [...] of this manual will serve
as an excellent reference for those Naval agencies [...] to
initiate a risk assessment.





1. The Need for Contractual Support

Many government directives pertaining to ADP security
provide guidance on the in-house personnel an agency must
use to form their risk assessment team. Such personnel
generally include [...] from ADP Operations Management,
Systems and Applications Programming, Hardware Maintenance,
Communications Engineering, Internal Auditing, and the
Security Staff. Since a comprehensive risk assessment is a
time-consuming process, diverting the [...] of these
individuals from their normal duties could well create a
hardship within their divisions or departments. This
potential hardship was recognized by personnel at NAVDAC
who began to consider the possibilities of [...] for
contractual support in conducting risk assessments.
Although previous [...] only discussed conducting risk
assessments in terms of using in-house personnel resources,
NAVDACINST 5510[...] contractors may be used with prior
approval [...] NAVDAC.











2. A Prototype for a Contracted Risk Assessment

[...] personnel at the Fleet Numerical Oceanography Center
(FNOC) in Monterey, California, began to [...] serious
doubts about their ability [...] in-house risk assessment.
The computer configuration at FNOC, consisting of numerous
large-scale mainframes, communications networks and
devices, minicomputers, and peripherals, was extremely large
and complex. It would be very difficult to spare the key
personnel needed for the risk assessment team from their
everyday duties. With this in mind, the ADP Security
Officer at FNOC wrote to [...] asking for guidance on using
contractor assistance. NAVDAC, which had been giving this
issue a great deal of thought, [...] to use FNOC as a
prototype for future contracted risk assessment efforts. To
this end, NAVDAC offered to lend technical assistance,
provide liaison with the contractor and other knowledgeable
government agencies, and oversee the entire process. The
Government agencies to be involved (directly or indirectly)
in the process are those shown in figure 3.1, which was
extracted from NAVDACINST [...] [Ref. 33]. These agencies
roughly parallel those which play a key role in federal
acquisition policies and procedures.





While the end result of this contract effort was to be a
completed risk assessment, it was also serving as a standard
against which future risk assessments could be conducted.
Thus, as [...] during the project, NAVDAC documented them
and considered ways in which the process could be enhanced
and standardized. This study will briefly summarize the
events that occurred during F[...] risk assessment, show
how NAVDAC monitored and c[...] the whole process, and
describe how NAVDAC has streamlined the system to facilitate
contractor support on any activity's risk assessment.

[...] priority in assisting FNOC was to gather a pool of
personnel whose technical expertise would [...] the
project. To this end, FNOC was provided a copy of
NAVDACINST 5230.14, "Procedures for Requesting Services from
Navy Regional Data Automation Centers (NARDACS)". FNOC's
task was to generate a letter requesting technical support
services from NARDAC, San Francisco. Included in this
letter was information pertaining to project title,
requesting command, type of request, objective, security
classification, and funding.

Figure 3.1 DON/ADP Security Organizational Relationships.


The source of the funding is an important considera[...]
requesting NARDAC services. "Commencing in fiscal [...]
all Navy customers of a NARDAC, except Navy Industrial Fund
Activities, will be supported on an entirely mission funded
basis...Unprogrammed costs which cannot be accommodated will
be subject of discussion between the NARDAC and the Customer
to determine if other means of funding are available"
[Ref. 34]. In this [...] $100K for the risk assessment
project, and the NARDAC had no funds available. It was thus
determined that FNOC would remit the $100K to the NARDAC,
who along with NAVDAC, would use the funds to [...] the
costs of the government's technical [...] personnel and the
contractor's fees.


Once the method of funding had been determined, NAVDAC
sent technical experts from the NARDAC, NAVELEX, and NESEA
(Naval Electronics Systems Engineering Activity) to FNOC to
discuss the program with ADP Security personnel. These
personnel outlined the project and generated a document
[...] FNOC's computer assets for use by the contractor.
NAVDAC, in the meantime, was using inputs from this group to
generate a plan of action and milestones that the contractor
would be expected to follow.

The Contract

NAVDAC handled all the require[...] and awarding the
contract. The det[...] negotiations, evaluation, selection,
and award we[...] available to the authors. After the
negotiations had been completed, the contract was awarded to
Systems Development Corporation (SDC).

By the time the SDC personnel arrived at FNOC, they had
been in constant touch with the project manager at NAVDAC,
and were well aware of the tasks expected of them. By
interviewing personnel from all areas of FNOC's
organizational components, reviewing computer configuration
schematics and documentation, penetrating computer security
vulnerabilities and merging them with potential threats,
they were able to assess FNOC's security posture and [...]
the required documentation and Annual Loss Expectancy (ALE)
figures.


6. Future Risk Assessment 


Since a risk assessment contract will call for a study or
analysis of the security aspects of an existing computer
system, it will have to adhere to the requiremen[...]
NAVMATINST 4200.50C which addresses contractor support
services. If the FNOC contract [...] indication, future
risk assessment contracts will undoubtedly exceed $50k, and
thus will require legal review and approval by "...a level
no lower than Flag or General Officer or individuals in the
Senior Executive Service (SES)" [Ref. 31].


[...] to make FNOC and its parent command, Commander,
Naval Oceanography Command (CNOC), more autonomous in
contracting for [...] related services, NAVDAC recently
drafted a letter in which the subject line reads,
"Automated Data Proce[...] Security [...] and
Contract[...]". [...] document will be invaluable to any
Na[...] contract support in completing [...]. Although the
information will not be afforded [...] distribution, NAVDAC
is amenable to providing it when requested by a Navy
activity. The several enclosures to the document constitute
sample ADP security contracting documents, which as NAVDAC
mentions, must be [...] specific tasking requirements and
coordinated with the local Navy Regional Contracting
Center. NAVDAC's purpose in this [...] is "...an attempt to
assure that Navy activities [...] quality contractor ADP
security reports and products [...] invested" [Ref. 32].


Among the enclosures is a sample statement of work which
may be tailored and included as part of an activity's
Request for Proposal (RFP), or in NAVDAC terms, Task Order
or Task Request. The sample not only addresses risk
assessments, but also includes other ADP security areas
which may [...] for contractor assistance: Risk Assessment
[...], Contingency Plan Testing, and Security Training. It
is the job of an activity's ADP Security Officer to write a
task request based on the statement of work, describing
[...] specific area of the work required. NAVDAC's sample
work statement has specific guidelines on the necessary
[...], including a list of military publications to which
the contractor must be responsive, and a list of required
deliverables such as summary progress rep[...], and
contract financial progr[...]. The work statement also
includes an option to extend the [...] term of the
statement of work. [...] executed by the contractor and at
the option of the [...]. In addition, NAVDAC [...]
Government-Furnished Equipment and [...] activity should be
prepared to provide the c[...].

Other documents NAVDAC has included [...] Security
Classification specification, [...] the security
considerations and access [...]; Contractor Perso[...], [...]
the minimum qu[...] personnel assigned to the project;
Personal vs N[...] Services Questionnaire, a document used
by the contracting officer to determine whether or not the
solicited service is nonpersonal; and the Contract Data
Requirements List, which describes the required
deliverables. These are all standard requirements for an
RFP, but they have been tailored for a Risk Assessment
application.

As of 28 July 1982, NAVDAC had approved six organizations
to be included on the Bidder's Mailing List. These
organizations and their qualifications are shown in figure
3.2. At the time of this writing, three were qualified to
conduct risk assessments, but only two of these had DON
approval. Two of the organizations listed were small
businesses.

[...] these vendors will be notified of a task request by
the Contract Administration Officer (CAO). Vendors are
required to pick up the task request within a [...].
NAVDAC refers to vendor responses as "Task Order Proposals"
(TOPs). As is the case with standard RFPs, these are due at
a specified ti[...].

Proposal Evaluations and Selection

Information required in a TOP for a risk assessment
includes "the number of man-hours by skill category by task
and subtask, milestone dates, travel costs, proposed pricing
arrangements, personnel resumes, and technical approach"
[Ref. 32]. The function of the activity's technical
evaluation board, chaired by the ADP Security Officer, who
is generally assigned as project manager, will be to
evaluate these factors.


NAVDAC stresses the importance of [...] personnel
qualifications in evaluating and selecting the [...].
Particular emphasis is placed on personnel weighting
factors, with the result that factors other than cost may
weigh heavily in the selection of one contractor over
another. The list of qualifications for contractor
personnel are quite comprehensive. Particularly important,
especially for the lead person assign[...], is experience in
computer center operations, ADP Risk Assessment methods,
system software generation, computer security,
telecommunications security, and computer hardware and
interconnections. A proposal which describes personnel
with less than these qualifications may be considered
"non-responsive". [...] continuity and stability
throughout the length of the project, NAVDAC also
encou[...] considering the contractor's response to the
requirement that "[...] 50 percent of original contractor
personnel a[...] on a Navy site to perform a risk assessment
will re[...] for the duration of the contract" [Ref. 32].


Evaluation of cost factors will generally be handled by
the Procuring Contracting Officer of the Navy Regional
Contracting Center. This will exclude consideration of the
cost of preparing the TOP, which, as is the case with [...]
RFPs, is done at the expense of the contractor. However,
those prices which will be recognized include "all direct
labor, overhead, general and administrative expenses, [...]
amount for profit" [Ref. 32]. In this regard, most risk
assessment contracts will probably be of the
cost-plus-fixed-fee type. Based on NAVDAC's general
guidance for evaluation factors and weightings, a proposed
Internal Score Sheet for any activity's TOP evaluation is
included as figure 3.3. The reasoning for the discrepancy
between experience and past performance is as follows:
experience in all areas listed is crucial, and while past
performance on related contracts would certainly be a
desired feature in a contractor, chances are that few will
have dealt directly with risk assessments (considering that
they are a relatively new requirement). [...] should
constitute about 20 percent of the tot[...]. After the
contract administrator has completed the negotiations, the
selection is made, [...] be executed by the contractor and
the co[...]" [Ref. 32].


B. CONCLUSIONS


[...] of the need for allowing contractor assistance in
conducting computer risk assessments is both admirable and
realistic. Even if an activity could spare the personnel
necessary to conduct a risk assessment, there would
undoubtedly be a lack of expertise in the necessary
policies and procedures. At this stage of the game, where a
risk assessment is still a relatively new and compli[...],
few people understand what it is, let alone how to conduct
an assessment. (This will undoubtedly change, however, as
NAVDAC places more and more emphasis on ADP security
training).

Internal Score Sheet

1. Technical Approach -- weight 30 points
   a.) Understanding of Task
       1.) Risk Assessment                           0-4    ____
       2.) Methodology                               0-4    ____
   b.) Responsiveness to specifications
       in Task Request                               [...]  ____
   c.) Appropriateness of approach
       1.) Activity's environment [...]              0-3    ____
       2.) Activity's computer configuration         0-2    ____
       3.) DON-approved risk assessment
           requirements                              0-2    ____

2. Experience -- weight 30 points
   A.) Computer Center Operations                    0-3    ____
   B.) ADP Risk Assessment Methods                   [...]  ____
   C.) System Software Generation                    [...]  ____
   D.) Computer Security                             [...]  ____
   E.) Telecommunications Security                   [...]  ____
   F.) Computer Hardware and Interconnections        [...]  ____
   G.) Clearance commensurate with the highest
       level contained in the system                 0-5    ____

3. Past Performance -- weight 15 points
   A.) Conducting Risk Assessments                   0-5    ____
   B.) Performing ADP Security-related projects      0-10   ____

4. Management -- weight 20 points                    0-20   ____

5. Location -- weight 5 points                       0-5    ____
   (with the understanding that 50% of the original contractor
   personnel remain on site for the duration of the contract).

OFFEROR: ___

Figure 3.3 Contractor Evaluation Score Sheet.

While specific details and samples of contract documents
are available to any activity requesting them, NAVDAC
encourages tailoring them to the activity's needs. As top
management, security personnel, and computer specialists
become more educated in the risk assessment phenomenon, the
need for such specific guidance will dwindle. In the
meantime, government resources will be saved by avoiding the
possibility of mismanagement of contracting for computer
risk assessments.

IV. A FRAMEWORK FOR CONDUCTING A RISK ASSESSMENT AT NPGS

The Department of the Navy Automatic Data Processing
Security Program was [...] promulgated by OPNAVINST 5239.1A
on August 3, 1982. The [...] provides policy and guidance
[...] concerning the establishment of local automatic data
processing (ADP) security programs. Each command's [...]
should be designed with the goal of achieving accreditation
[...] the appropriate designated approving authority (DAA).
In [...] each activity must develop an activity ADP security
plan (AADPSP). This plan must be approved by the Commander,
Naval Data Automation Command (COMNAVDAC). The [...] should
document current security environment, establish program
objectives, and outline a plan of action and milestones
(POAM) for security program implementation. An [...] that
will be included in the POAM is the completion of a risk
assessment. A risk assessment may be conducted internally
if an ADP activity has the necessary expertise. Commercial
assistance is available to conduct a risk assessment.
COMNAVDAC maintains a list of authorized contractors and
retains approval authority for contractor selection.

This chapter provides a framework for conducting a risk
assessment at the Naval Postgraduate School. A framework, in
the absence of theory, is helpful in organizing a complex
subject, identifying the relationships between the parts and
revealing the areas in which further development may be
required [Ref. 35]. A risk assessment at a naval activity
will be governed, of course, by OPNAVINST 5239.1A. However,
this instruction is very broad in scope and covers the
entire ADP security s[...] necessary steps for a risk
assessment, applied to the [...] Naval Postgraduate School.





A risk assessment involves a detailed examination of all
aspects of a computer system; hardware, software, data,
procedures, etc. The use of these assets, that is, the use
of the computer systems at the Naval Postgraduate School,
including the IBM 3033AP system in the W.C. Church Computer
Center, various mini and microcomputers in Spanagel Hall,
and independent units obtained under grant by several
professors, spans virtually all departments and includes
students, and military and civilian staff. This
implies that a significant amount of cooperation
between different organizations will be required to
successfully complete a risk assessment. This endeavor requires
command attention at upper levels to impress upon all
concerned the importance with which the command views a
subject of this nature. Notwithstanding, a project
of this magnitude should produce meaningful results which
will serve several purposes:

1) Enable the Naval Postgraduate School to proceed
   successfully along the path to ADP security
   accreditation.

2) Provide documentation stating the current condition
   of security with respect to the computer systems
   at the Naval Postgraduate School.

3) Provide a reference for quantitatively evaluating
   security countermeasures.

4) Provide a platform from which improved
   command security posture can be built.


A. INITIAL STEPS: PERSONNEL SELECTION AND SECURITY SURVEY 


The initial step in undertaking this project is to identify
the personnel who will participate as members of the
risk assessment team. Expertise from various disciplines
such as computer science, management, and administrative
science will be required. Personnel selection is a very
delicate subject in the commercial environment. Donn Parker
of the Stanford Research Institute (SRI), at the 197
National Computer Conference, criticized the concept of a
risk assessment team made up of key company personnel. The
team approach gives a relatively large number of employees a
virtual inventory of data processing vulnerabilities. It
may be prudent to have risk assessment team members
participate in detailed analyses only on a need-to-know basis.
[Ref. 40] However, this situation wil
the Naval Postgraduate School. Giv
sient nature of students and staff at
following recommendations for staffi
proposed. The position of project m
assigned to the ADP security officer. The
position entails are quite consistent with the
ADP security officer.
students from the Computer Systems Management
Computer Science curricula should be sought. The
majority of the work required in this project could be
completed by students. The risk a
thesis project for several team
Faculty members of the Computer Counc
the role of thesis advisors while maintaining an active
interest in the risk assessment pro
be broken into three distinct phase
pating in these phases would build directly upon the work
accomplished by earlier studen
might be:

1) Security Survey, Asset Identification and Valuation
   Phase
2) Threat and Vulnerability Evaluation Phase
3) Computation of Annual Loss Expectancy and Evaluation
   and Selection of Additional Countermeasures Phase


The formal assignment of personnel to the Risk
Assessment Team is accomplished by the issuance of the Risk
Assessment Team Charter. The charter is generated by the
command itself and identifies those personnel who compose
the team. Since students will be participating in this
endeavor, periodic updates to this document will be
required. The document lists the objectives of the team and
details the authority and responsibility of each person.
The charter also states the products which the team is
expected to produce.

The next step in the overall process is to conduct an
ADP security survey. A sample survey is listed in the ADP
Security manual [Ref. 36]. An item which will be needed to
ensure that the survey is complete is a listing of all ADP
equipment located at the Naval Postgraduate School. The
survey should encompass all equipment so tha
can be interpreted with some degree of cert
provide an indication of the current se
tion and also may show how much effort will be req
conduct the risk assessment. It should be noted that a
complete and accurate listing of all equipment is crucial to
the success of the overall assessment. Failure to include
certain equipment may invalidate any assessments made on
other equipment affected by missing items. The major
components of the IBM 3033AP system are listed in an NPGS
publication, "Introduction to the Church Computer Center". Of
course, this information should be verified prior to use in
this endeavor.

The vast majority of the users are not working with
high-value data, but rather with routine, academically
oriented material. No classified data is supposed to be
stored on the IBM 3033AP system. Additionally, most of the
processing done at the Church Computer Center is not in
support of fleet operations. The results of the survey
indicate some directions for the risk assessment to pursue.
The formal results of the survey should be compiled and
submitted as an appendix to the risk assessment document.

The results of the survey also impact upon the risk
methodology selected. As the ADP Security manual states,
"This decision (concerning which methodology to use) should
be based on the complexity of the ADP environment. The
complexity is governed by the level of data processed,
security mode of operation, ADP system configuration and
location, and the criticality of the mission." [Ref. 37]
There are two methodologies available. The most common
methodology for ADP activities is listed in the Security
Manual as Methodology 1. This methodology appears to be
suitable for a risk assessment at the Naval Postgraduate
School. Methodology 1 is the standard methodology used in
most ADP environments and provides for suitable interaction
between threats and losses. The risk assessment conducted
according to methodology 1 can be divided into several
phases as shown in figure 4.1. As previously mentioned,
these phases could quite conveniently be assigned to
students as thesis projects. The successful completion of
each phase is well within the capabilities of interested
students.


B. ASSET IDENTIFICATION AND VALUATION 


The next phase in this process consists of asset
identification and valuation. Some crucial items of information
are needed to properly complete this phase. As previously
mentioned, a complete, up-to-date list of all computer
system assets is required.
with maintaining an inventory of all hardware assets
[Ref. 38]. They should be able to provide the necessary
information in this area. Completeness and accuracy are the
keys to the success of the risk assessment. Otherwise, the
possibility exists that some piece of ADP equipment not
listed, and so not considered in the risk assessment, may
somehow interact with equipment that is considered. The
threat and the associated loss may invalidate the
assessments made previously on related equipment.

Figure 4.1 Major Steps of Method I Risk Assessment.


The other elements crucial to this phase are the impact
value ratings. The risk assessment team will determine the
impact value ratings. The ADP Security manual gives some
general guidance for assigning these values. Since the
major purpose of a risk assessment is to provide a
quantitative base for evaluating the cost-effectiveness of
countermeasures, the importance of these values cannot be
overstated. Primary input for the values associated with
hardware and software can probably be provided by the
computer center staff.

There are four types of impacts for which each asset
must be evaluated. These impacts are:

1) Modification

2) Destruction

3) Disclosure

4) Denial of service

The ADP Security manual provides a concise definition of
these impacts. Each asset must be evaluated with respect to
these items. If an impact affects an asset, then a monetary
value reflecting that effect should be assigned. The impact
value rating is associated with the monetary value. This
stage will require close coordination between the students
evaluating the assets and those members of the team who
determine the asset impact value ratings. The ADP Security
Manual provides guidelines for the i
sensitive data. These values are listed in figure 4.2.

    FOR OFFICIAL USE ONLY            $100
    PRIVACY ACT OR CONFIDENTIAL      $1000
    SECRET                           $100000
    TOP SECRET                       $1000000

Figure 4.2 Sensitive Data Value Guidelines.

There are standard forms which should be used to record
the asset impact and valuation studies. The appropriate
form for this phase is designated OPNAV 5239/7. An example
of this form is provided in Appendix I.

C. THREAT AND VULNERABILITY EVALUATION PHASE


The next phase in the risk assessment process is the
threat and vulnerability evaluation. According to the
methodology, all threats must be evaluated to estimate how often
a successful attack may occur. A "successful" attack is one
that results in a definite adverse impact on the activity.


This phase will also require a great deal of communication
between the members of the risk assessment team and the
staff of the computer center. For threats such as
power outages, the frequency rating co
examining historical data. However, inp
center staff may prove valuable when at
frequency ratings for threats which a
such as errors in the operating system software. Each
threat must be evaluated with respect to the same four
impact areas as the assets, that is, mo
tion, disclosure, and denial of ser
threats which have never, and hopefully will never, occur
there may be some difficulty in
threat frequencies. There is no sound statistical base for assigning
probabilities to human behavior problems. One method to
approach this problem is to use the Delphi technique. This
method involves having different individuals evaluate a
particular probability several times to reach a consensus.
This technique should provide a probability estimate which
may offset the lack of a human experience base. [Ref. 41]

A great deal of time and effort wi
this phase. The more effort which is applied to developing
the threats and their potential adverse effects, the
more accurate the final risk assessment will be. As a
result, the product will serve its purpose and hopefully
enhance ADP security.

Security measures. The ADP Security manual describes a
mechanical, fairly straightforward procedure to determine
these figures. The impact dollar value ratings and the
successful attack frequency ratings interact to produce an
annual loss expectancy figure for each of the four impact
areas. The individual ALE values for each asset in an
impact area and the individual ALE values for each threat in
an impact area should be added to produce a total ALE value
for each respective impact area. Summing the ALE values
for the four different impact areas results in the total
ALE value for the system.

As stated in the ADP Security manual, "The ALE represents
a quantitative estimate of the potential average
yearly financial loss resulting from the modification,
destruction, disclosure, or denial of services
because of existing vulnerabilities which may permit
identified threats to be realized." [Ref. 39] One can see that
the types of results which are derived, namely, quantitative
figures for annual loss expectancy, are based totally upon
the estimates made in earlier phases. For the
to be meaningful, it is clear that a gr
be taken to develo
a dollar rating
successful attack frequency must be consistent and not
exaggerate any particular area without justification.


D. EVALUATION AND SELECTION OF ADDITIONAL COUNTERMEASURES 


After the annual loss expectancy values have been
calculated, the evaluation of additional countermeasures can be
conducted. The procedure involves determining whether the
additional countermeasures would benefit the overall security
posture and result in a decrease in the annual loss
expectancy value. Cost-effectiveness is the criteria for
decision-making when considering any additional
countermeasures. Essentially, every countermeasure must be
to determine if the reduction in the ALE is greater than the
cost of installation and implementation. Countermeasures
may be directed against specific threats. Some software
countermeasures include the establishing of audit trails,
the use of unique password/authentication processes, and the
imposition of some type of residue control to clear sensitive
which the operating system allows to remain
in resource sharing storage. Some hardware countermeasures
include the employment of protection state variables, memory
protection mechanisms, and the use of interruption resistant
power supplies. These are merely a few examples of
countermeasures which can be utilized to improve secu
may be such that the successful frequency attack ratings in
several impact areas are affected.


The procedure for evaluating additional countermeasures
consists of six steps:

1) Countermeasures which can reduce the vulnerabilities
   of assets which currently have the higher annual
   loss expectancy values should be considered first.

2) The vulnerabilities which would be reduced or
   eliminated by implementing additional countermeasures
   should be identified.

3) Assuming that the countermeasure is implemented, the
   projected successful attack frequency ratings for each
   area should be listed.

4) The projected ALE for each threat affected by the
   countermeasure should be calculated by impact area.

5) The projected ALE should be subtracted from the
   current ALE to show the savings possible by
   implementing the proposed countermeasure.

6) The ALE savings in each impact area should be summed
   and divided by the annual cost of the countermeasure
   to get the Return-on-Investment (ROI). [Ref. 42]

There is a specific form provided to perform these
calculations. An example of this form, OPNAV 5239/10, is
given in Appendix I.

The Return-on-Investment figure is important in the
selection of which additional countermeasure to implement.
This selection process occurs in an incremental fashion. As
countermeasures are implemented, they affect the overall
security posture of the entire computer center. Thi
is realized in a different ALE value. Since changes
will cause a corresponding change in the ROI
particular countermeasure, the countermeasures m
considered singly.

The countermeasure with the highest ROI is considered
first. Then, the countermeasure with the next higher ROI is
evaluated with the new ALE resulting from implementation of
the previous countermeasure. This procedure is continued as
long as the respective ROI remains greater than one. The
countermeasures with ROI's greater than one may be ranked
according to their respective values. A plan to implement
these countermeasures,
limitations, may
then be determined.
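The six-step evaluation and the incremental selection rule described above can be worked through mechanically. The following Python code is an added example, not part of the thesis or of the ADP Security manual; the threat names, dollar values, yearly frequencies, countermeasure costs and the multiplicative frequency factors are constructed assumptions.

```python
# Added example: ALE aggregation and incremental countermeasure selection.
# All names and figures below are constructed for illustration.

IMPACT_AREAS = ("modification", "destruction", "disclosure", "denial_of_service")

# threat -> impact area -> (impact dollars per successful attack,
#                           successful attacks per year)
THREATS = {
    "power outage": {
        "denial_of_service": (2000.0, 6.0),
        "destruction": (8000.0, 0.125),
    },
    "password guessing": {
        "disclosure": (1000.0, 4.0),
        "modification": (5000.0, 1.0),
    },
    "operator error": {
        "modification": (500.0, 10.0),
        "destruction": (3000.0, 0.5),
    },
}

# Assumption: a countermeasure scales the successful attack frequency of the
# threats it addresses (0.25 means one quarter as many successful attacks).
COUNTERMEASURES = [
    {"name": "interruption resistant power supply", "annual_cost": 3000.0,
     "factors": {"power outage": {"denial_of_service": 0.25, "destruction": 0.25}}},
    {"name": "unique password/authentication process", "annual_cost": 2500.0,
     "factors": {"password guessing": {"disclosure": 0.25, "modification": 0.25}}},
    {"name": "audit trails", "annual_cost": 2500.0,
     "factors": {"password guessing": {"modification": 0.5},
                 "operator error": {"modification": 0.75}}},
]


def ale_by_area(threats):
    """ALE per impact area: sum of impact x frequency over all threats."""
    totals = {area: 0.0 for area in IMPACT_AREAS}
    for areas in threats.values():
        for area, (impact, frequency) in areas.items():
            totals[area] += impact * frequency
    return totals


def total_ale(threats):
    """Total ALE for the system: the four impact-area ALEs summed."""
    return sum(ale_by_area(threats).values())


def project(threats, cm):
    """Step 3: projected frequency ratings if the countermeasure is installed."""
    projected = {}
    for threat, areas in threats.items():
        factors = cm["factors"].get(threat, {})
        projected[threat] = {
            area: (impact, frequency * factors.get(area, 1.0))
            for area, (impact, frequency) in areas.items()
        }
    return projected


def roi(threats, cm):
    """Steps 4-6: projected ALE, savings per impact area, savings / annual cost."""
    current = ale_by_area(threats)
    after = ale_by_area(project(threats, cm))
    savings = sum(current[area] - after[area] for area in IMPACT_AREAS)
    return savings / cm["annual_cost"]


def select_countermeasures(threats, candidates):
    """Take the highest-ROI countermeasure, recompute the rest against the new
    ALE, and stop once the best remaining ROI is no longer greater than one."""
    remaining = list(candidates)
    plan = []
    while remaining:
        best = max(remaining, key=lambda cm: roi(threats, cm))
        best_roi = roi(threats, best)
        if best_roi <= 1.0:
            break
        plan.append((best["name"], round(best_roi, 2)))
        threats = project(threats, best)
        remaining.remove(best)
    return plan, total_ale(threats)


if __name__ == "__main__":
    print("current ALE by area:", ale_by_area(THREATS))
    for cm in COUNTERMEASURES:
        print(f"stand-alone ROI of {cm['name']}: {roi(THREATS, cm):.2f}")
    plan, residual = select_countermeasures(THREATS, COUNTERMEASURES)
    print("implementation order:", plan)
    print("ALE after the plan:", residual)
```

With this data the audit trails look worthwhile on their own (ROI 1.5) but drop to 0.75 once the password countermeasure has already reduced the same modification losses, which is why each candidate is re-evaluated against the new ALE.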
The situation may occur where higher authority directs
ain countermeasures be implemented. In that case,
countermeasures may take priority for implementation
regardless of their ROI.

A. GENERAL

At this time, no automated or computerized risk assessment
methodology has been approved for use by agencies of
the Federal Government.
Government's lack of interest or distrus
is more a matter of an extremely lim
less than a handful of risk assessment software packages
currently available.


One of the few companies in private industry involved in
developing risk assessment software is Pansophic Systems,
Inc., based in Oak Brook, Illinois. Among the software
products the company offers are: Panaudit, a tool
that can be used for ADP, financial,
computer systems; Panexec, which can be used for
control, backup,
Panrisk, an automated risk assessment system for management
planning. Advertisements for Panrisk boast that it is
the first system ever to show where to direct your
computer security efforts
certainty" [Ref. 43].


Although the Panrisk system works under the same basic
framework as the manual methods advocated within the DOD, it
has a major drawback that greatly limits its usefulness
applicability to government computer facilities. It is
compatible with IBM operating systems. However, if Pan
had shown any degree of success in the market, oth
computer vendors would have undoubtedly developed sim
systems for Honeywell, Burroughs and others.


According to its own
brochure,
Panrisk is the application of a simple formula to a variety
of threats whose results are aggregated to give a complete
picture of an organization's total loss potential over a
period of time" [Ref. 43]. The simple formula for
calculating the Annual Loss Expectancy ALE is the same as that
given in FIPS PUB 65, although the terminology used differs
somewhat:

    ALE = single occurrence loss x occurrence rate

    i.e. impact x frequency

Skeptics might rightfully question using a computer
system for such a calculation. Panrisk does, however,
produce outputs beyond a simple ALE - it can format, edit,
and generate various reports on risk information to be used
at all levels within an organization. Thus the package may
have some merit in its use as a Management Information
System (MIS) or as a Decision Support System (DSS). The
problems, though, arise in the input requirements. In order
for the system to become useful, the organization must
provide information on its computer resources, threat
probabilities, vulnerabilities, and loss potentials. The
of such inputs constitutes the most difficult p
conducting a risk assessment. Since suc
largely based on intuition and experience, it could not be
expected that an automated system would be able to produce

1982, Panrisk was taken off the market for an indefinite
then. In general, therefore, the mark
risk assessment will be extremely limite
period of time.

In short, an automated system is no better than a manual
one on the input side of the Risk Assessment process.
Organizations must exercise caution in considering
buying off-the-shelf Risk Assessment software, since
Risk Assessments, by their very nature, must be uniquely
tailored to an agency's needs.
of a
DSS, however, an automated Risk Assessment could greatly
facilitate a user's understanding and ability to handle
budgeting and security problems.


B. A RISK ASSESSMENT AS A DECISION SUPPORT SYSTEM

An automated Risk Assessment could serve as an excellent
application for a Decision Support System (DSS). According
to Sprague and Carlson [Ref. 44] the characteristics of a
DSS include: 1.) support for unstructured (or
semistructured) problems; 2.) support for all levels of
decision-making; and 3.) a combination of analytical
techniques and data presentation techniques. A Risk Assessment
application should include all of these characteristics.


Sprague and Carlson [Ref. 44] discuss three components
that make up a DSS: 1.) the dialog model, which serves as
the user interface to the system; 2.) the data model, which
controls and monitors the system data bases via a data base
management system (DBMS); and 3.) the modeling component,
which interfaces with the data and dialog models to perform
mathematical and analytical operations.


The dialog component of a DSS is perhaps the most im
since, from the user's point of view, it functio
virtual system. The dialog component must be able t
support a variety of
and output d
different inputs, dialog styles and communications, and
above all, must be user friendly. [Ref. 44] For a Risk
Assessment application, this means that the user (possibly
the command's Security Manager or ADP Security Officer)
be able to select the way in which he inputs to the
system and the way in which outputs are displayed on the
terminal or printer. Inputs, which may include keyboa
joysticks, function keys, etc., will be constrained
by the available hardware, but outputs can have sever
largely software-supported, which will only be
constrained by the user's and builder's imaginations and
abilities. Users may request that the dialog conventions
used include question/answer sessions, menu selections,
graphical displays, and HELP facilities to aid in supporting
the user's knowledge base.


The data component should be able to support a va
data structures and types, while allowing for easy da
access and retrieval [Ref. 44]. This req
extremely versatile and capable DBMS, but current
state-of-the-art is such that these requirements could be
met by a system as simple as DBASE II which is available on
most microcomputers. The DBMS of a Risk Assessment
application will require that the user be provided capabilities to
generate, update, and maintain data bases composed
threat, asset, and vulnerability information.


The modeling component
a Model Base Management System (MBMS) to allow for the buildi
tion of new models, model manipulation, and the managem
of a library of models [Ref. 44]. The models in a Risk
Assessment DSS will be used to calculate ALEs for n
threat categories, compare various ALEs, and mathematicall
combine and manipulate ALE figures. This component could b
handled by the programming capabilities of DBASE II.

C. DESIGN SUGGESTIONS FOR A DECISION SUPPORT SYSTEM

1. The Dialog Component


This component should initially allow the user
several presentation options, and should be built such that
later refinements and enhancements can be made with relative
ease. As the user becomes familiar with the system and
feels comfortable in using it, he may want to reduce the
system's HELP facilities in favor of more speed and
flexibility. Initially, however, the user's knowledge base will
be small and he will pref
the system.

Assuming the user is at least familiar with how to
initialize the system, turn the terminal on and logon, he
will then need to know how to make a call to the Risk
Assessment DSS. This should be as simple a type-in as
Risk", "Do Risk", or "Risk" followed by a carriage

The initial screen might look like the one shown in
figure 5.1. An additional option might involve moving a
cursor below the desired operation using a joy stick, or
selecting the operation with a light pen. Once an operation
is selected, a new screen showing additional options within
the operation will be displayed. All screens beyond the
initial one will provide "Help" options as well as options
to return to the main menu or end the session. The dialog
also present the user with a canned
threats, and vulnerabilities, such that he could
those that were inapplicable to his organization, and
those that did apply.
would not only
increase his knowledge base, but would also prevent a lot of

Output representations from the operations should
variety of formats. Bar graphs might prove to be
desirable representations since the user may want
comparisons of various ALEs at different periods of time. Figure
5.2 illustrates the type of output representation that might
be provided by a Risk Assessment DSS. Similar o
could be constructed for the other impact areas
as well as for threats, assets, and vulnerabilities. For a
DSS of this type, most users will desire outputs that show
comparisons of relevant information.
Vulnerabilities, for example, would show which
vulnerabilities are the most costly in terms of ALEs.

    Select the desired operation by typing the
    number followed by a carriage return

    1.) Database Update/Modification
    2.) Display a list of computer system assets
    3.) Display a list of computer threats
    4.) Display a list of computer vulnerabilities
    5.) Calculate Annual Loss Expectancy (ALE) values
    6.) End Session

Figure 5.1 Initial Screen for a Risk Assessment DSS.


2. The Data Component 


The Data Component will be perhaps the most difficult
to understand and manage. A viable and capable Data
Base Management System (DBMS) will be req
the vast number of files, the large sizes
the links between the files. In general, an
DBMS should result in reduced costs of building and using the
increased data control and sharing, and reduced data
redundancy.
for a DSS, the
designer will choose a data model, which is a "method of
representing, organizing, storing, and han
computer" [Ref. 46]. The
include: 1.) a collection of data str
collection of operations that can be applied t
structures; and 3.) a collection of integrity rules that
define the valid states for the structures. [R

Figure 5.2 Bar Graph Output Representation.


The data structures for a Risk Assessment will vary
depending on the type of file. Separate files will, at a
minimum, be required for computer
vulnerabilities. Figure 5.3 shows the f
contained in such files.
will obviously result in a great deal o
For example, one asset will be exposed to several threats
conversely, one threat may affect several assets. The
wasteful method would be to list every threat
specific asset and include them as part of a rec
asset file. Similarly, every asset affected by a
threat would be included as part of a record in the
these fil
be to link the records in each file together
some type of relational data base model with primary a
secondary keys.


the data model will e
a relationship between the asset and threa
can be determined which assets are
and within which impact ca
to this relation will be the IMPACT CATEGORIES (4
the asset file, and the IMPACT CATEGO
threat file. By defining this relation, it will be possible
to select a specific asset, link it to an applicable threat,
and calculate the ALE. This type of lin
performed by a JOIN operation. Acc
JOIN operation is used to combine two rela
attribute in the first relation is com
attribute in the second. If th
relationship specified in the join operation, then the
tuples of the relations are combined to form a third
relation. Thus, an asset record and a threat record
can be "joined" by issuing a command such as:

    ASSET (IMPACT CATEGORY (4) = IMPACT CATEGORY (4) AFFECTED) THREAT

The value of the IMPACT CATEGORY field in the asset
file is compared to the IMPACT CATEGORY AFFECTED (4) field in
the threat file. If the values of the two fields are equa
then the two records can be combined to form a single
record. In this way, it can be determined that the
resulting from the JOIN operation contains an asset, an
applicable threat from a specific impact category, and the
frequency of occurrence for that threat. The ALE can then
be calculated by multiplying the impact v
threat probabili

    ASSET FILE:
    asset name/asset category/description/impact categories
    (4)/impact category

    THREAT FILE:
    threat name/description/impact categories affected (4)/
    frequency of occurrence/

    VULNERABILITY FILE:
    vulnerability name/description/threats exploiting/

    COUNTERMEASURE FILE:
    countermeasure name/description/cos
    vulnerabilities affecting/
    implementing/

Figure 5.3 Field Layout for Required Files.


The operations that will be applied to the data base
files should include, but not necessarily be limited to,
retrieval, update, modification, combination,
The dialog component should prompt t
operation, while allowing him to specif
record name, field name, etc.

The integrity rules for the field values in the
files may be kept relatively simple. Values for impact
category may easily be constrained to the four categories of
destruction, modification, disclosure, and denial-of-service.
Numeric values may be limited to a relatively wide
range of values within certain limits. Fo
frequency ratings for threats may contain any dec
between .000 and .999. ALE values for the destruction
category will be equal to the asset replacement c
same token, no asset ALE may exceed its total replacement
cost.
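One way to realize the linked asset and threat files, the JOIN on impact category, and the integrity rules described above, using SQLite from Python. This is an added example, not the DBASE II design the thesis has in mind; the table and column names, the exposure link table and all sample rows are assumptions constructed for illustration.

```python
# Added example: relational layout for the asset and threat files, the JOIN on
# impact category, and the integrity rules. Schema and data are constructed.
import sqlite3

CATEGORIES = "('modification','destruction','disclosure','denial-of-service')"

SCHEMA = f"""
CREATE TABLE asset (
    name TEXT PRIMARY KEY,
    replacement_cost REAL NOT NULL CHECK (replacement_cost >= 0)
);
CREATE TABLE asset_impact (            -- one row per asset and impact category
    asset TEXT NOT NULL REFERENCES asset(name),
    impact_category TEXT NOT NULL CHECK (impact_category IN {CATEGORIES}),
    impact_value REAL NOT NULL CHECK (impact_value >= 0),
    PRIMARY KEY (asset, impact_category)
);
CREATE TABLE threat_impact (           -- one row per threat and category affected
    threat TEXT NOT NULL,
    impact_category_affected TEXT NOT NULL
        CHECK (impact_category_affected IN {CATEGORIES}),
    frequency REAL NOT NULL CHECK (frequency BETWEEN 0.000 AND 0.999),
    PRIMARY KEY (threat, impact_category_affected)
);
CREATE TABLE exposure (                -- link table instead of repeating records
    asset TEXT NOT NULL REFERENCES asset(name),
    threat TEXT NOT NULL,
    PRIMARY KEY (asset, threat)
);
"""

ALE_QUERY = """
SELECT e.asset, e.threat, a.impact_category,
       ROUND(a.impact_value * t.frequency, 2) AS ale
FROM exposure AS e
JOIN asset_impact AS a ON a.asset = e.asset
JOIN threat_impact AS t ON t.threat = e.threat
     AND t.impact_category_affected = a.impact_category
ORDER BY e.asset, e.threat, a.impact_category
"""


def build_db():
    """Create the in-memory data base and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO asset VALUES (?, ?)",
                     [("mainframe", 500000.0), ("student files", 20000.0)])
    conn.executemany("INSERT INTO asset_impact VALUES (?, ?, ?)", [
        ("mainframe", "destruction", 500000.0),
        ("mainframe", "denial-of-service", 4000.0),
        ("student files", "destruction", 20000.0),
        ("student files", "modification", 2000.0),
        ("student files", "disclosure", 100.0),
    ])
    conn.executemany("INSERT INTO threat_impact VALUES (?, ?, ?)", [
        ("fire", "destruction", 0.002),
        ("power outage", "denial-of-service", 0.5),
        ("operator error", "modification", 0.25),
        ("operator error", "destruction", 0.125),
    ])
    conn.executemany("INSERT INTO exposure VALUES (?, ?)", [
        ("mainframe", "fire"), ("mainframe", "power outage"),
        ("student files", "fire"), ("student files", "operator error"),
    ])
    return conn


def ale_rows(conn):
    """Join each asset to its applicable threats on impact category."""
    return conn.execute(ALE_QUERY).fetchall()


def ale_per_asset(conn):
    totals = {}
    for asset, _threat, _category, ale in ale_rows(conn):
        totals[asset] = totals.get(asset, 0.0) + ale
    return totals


def assets_over_replacement_cost(conn):
    """Integrity rule: no asset ALE may exceed its total replacement cost."""
    costs = dict(conn.execute("SELECT name, replacement_cost FROM asset"))
    return sorted(a for a, ale in ale_per_asset(conn).items() if ale > costs[a])


def rejected(conn, sql, params):
    """True if the data base refuses the row under its integrity rules."""
    try:
        with conn:
            conn.execute(sql, params)
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for row in ale_rows(db):
        print(row)
    print(ale_per_asset(db), assets_over_replacement_cost(db))
```

The disclosure value of the student files produces no row because no linked threat affects that category, which is the behavior the JOIN condition on impact category is meant to give.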


3. Modeling Component

"The modeling component is the primary tool for
supporting many of the activities that decision makers will
perform in the process of making decisions and solving problems"
[Ref. 47]. The decisions and problems for a Risk
Assessment application will evolve about the calculation of
ALEs, and determining the areas where the greatest ALE
reduction can occur. Thus a library of models, consisting
of permanent, ad hoc, user-built, and "canned" models
[Ref. 47] will have to be made available to the user. The
permanent models, those desired by most users, might have
the capabilities shown in figure 5.4. In
model generators should be at the disposal
order that they may generate and structure their own models.
Optional models that may be requested involve activities for
projection, deduction, analysis, creation of alternatives,
comparison of alternatives, optimization, and simulation.
[Ref. 48]
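The following Python example is an addition to this text, not code from the thesis. It applies the integrity rules of the data component and computes the threat, asset and countermeasure figures that figure 5.4 assigns to the permanent models. It assumes that ALE is impact value times frequency rating, that frequency ratings lie between .000 and .999, that the replacement-cost limit applies to each asset's total ALE, and that return on investment is ALE savings divided by annual cost; all function names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Impact categories allowed by the integrity rules described above.
CATEGORIES = {"modification", "destruction", "disclosure", "denial-of-service"}

def ale(impact, frequency):
    """ALE of one asset/threat pairing: impact value times frequency rating."""
    if not 0.0 <= frequency <= 0.999:   # assumed reading of the frequency range
        raise ValueError(f"frequency rating out of range: {frequency}")
    return impact * frequency

def build_models(assets, pairings):
    """Return (ALE by threat, ALE by asset, each asset's percentage of total ALE)."""
    by_threat, by_asset = defaultdict(float), defaultdict(float)
    for asset, threat, category, impact, frequency in pairings:
        if category not in CATEGORIES:
            raise ValueError(f"unknown impact category: {category}")
        value = ale(impact, frequency)
        by_threat[threat] += value      # threat model: summation per threat
        by_asset[asset] += value        # asset model: summation per asset
    for asset, total in by_asset.items():
        # Integrity rule: no asset ALE may exceed its total replacement cost.
        if total > assets[asset]:
            raise ValueError(f"ALE for {asset} exceeds its replacement cost")
    grand = sum(by_asset.values())
    shares = {a: round(100 * v / grand, 1) for a, v in by_asset.items()} if grand else {}
    return dict(by_threat), dict(by_asset), shares

def countermeasure_model(by_threat, annual_cost, reductions):
    """ALE savings and return on investment for one countermeasure.

    reductions maps each affected threat to the fraction of its ALE removed.
    ROI is taken as savings / annual cost (an assumption of this example).
    """
    savings = sum(by_threat[t] * frac for t, frac in reductions.items())
    return savings, savings / annual_cost

# Constructed sample data: replacement costs, then
# (asset, threat, impact category, impact value, frequency rating).
ASSETS = {"payroll master file": 200_000, "disk drive": 50_000}
PAIRINGS = [
    ("payroll master file", "operator error", "modification", 40_000, 0.5),
    ("payroll master file", "fire", "destruction", 200_000, 0.0625),
    ("disk drive", "fire", "destruction", 50_000, 0.0625),
    ("disk drive", "power failure", "denial-of-service", 10_000, 0.25),
]

if __name__ == "__main__":
    threats, per_asset, shares = build_models(ASSETS, PAIRINGS)
    print(threats, per_asset, shares)
    print(countermeasure_model(threats, 2_500, {"fire": 0.75}))
```

Ranking the per-threat totals shows where the greatest ALE reduction can occur, and the countermeasure figures correspond to the annual cost, ALE savings and return on investment fields of the countermeasure worksheet.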


4. Integration

"The model base and its management system m
integrated with the dialog directly, to give the user direct
control over the operation, manipulation, and use of models"
[Ref. 49]. By the same token, there must be a tight

THREAT MODEL:
a calculation, summation, and analysis of the ALEs
contributed to by specific threats

ASSET MODEL:
an analysis and percentage calculation of the ALEs
attributed to specific assets.

COUNTERMEASURE MODEL:
of the ALE reductions that might be brought
about by the implementation of specific countermeasures.

Figure 5.4 Permanent Model Capabilities.


coupling between the modeling component and the data component.
"With this direct linkage, models can be updated as
the data values are updated, and modified or restructured
when the data have changed enough to require it" [Ref. 49].
The components and the possible linkages among them may be
depicted as in figure 5.5.

D. LIMITATIONS


The construction and design of the dialog and modeling
components can be made with relative ease. It is in the
design and development of the data component that the
majority of the difficulties will arise. This will create
additional problems in that a complete and capable DBMS is
crucial to the correct functioning of the dialog and
modeling components. D NDS: not function without the
complete integration of the three con

The user is also confronted with severe difficulties in
the actual construction of the databas
designer may be able to provide an efficie
through which databases may be created and upda
may be frustrated in his attempts to collect the
to include in the databases.

VI. CONCLUSIONS AND RECOMMENDATIONS

This thesis has examined various facets of the concepts
of risk assessment. The subject is exceedingly complex and
affects virtually all segments of organizations which employ
computers to accomplish their objectives. The multitude of
directives promulgated by various agencies of the federal
government attests to the attention being focused on risk
assessments. ulises talr=cclon provided in this
area is generally good; however, the instructions are often
tny and sometimes written in a style difficult to
follow. The most important point expressed in Chapter Two
is the realization that competent guidance concerning risk
assessments exists. The level of user awareness regarding
the availability of this guidance must be raised. As the
federal government in general, and the Departme
Dan in particular, allocate more
computer systems resources, organizational depe
computer services will grow. pass Tas neces
corresponding effort towards ensuring
computer systems. For example, the Naval Regional Data
Automation Center, San Francisco (NARDAC-SF) allocated
several personnel in its Management Control Department to
conduct a risk assessment at that facility. The EU
resulted in a total annual loss expectancy for NARDAC-SF
amounting to over 58,8 billion. It must be stressed that an
astronomical figure like 358.8 billion in no way represents
the actual expected value of losses during a given year.
pau croit 35 the aggregate ALE resulting from totalling the
individual ALE's in each impact area.
the relative priorities to be placed on security
measures in different areas. Clearly assets evaluated at
relative sums of this magnitude warrant significant sec
appraisals. This attention and analysis is : the
driving influence behind the risk as
Further dissemination to the proper
priate authority should increas
area.

Several aspects associated ae COL TT CAE ADOS risk
assessment services were considered in Chapter Three.
NST. S5239002 directs all commands with computer system
assets to conduct a risk assessment.
required to conduct a risk assessment may force smaller
commands to seek outside assistance. Naval Regional Data
Automation Centers (NARDACs) are available to provide assistance.
However, the various NARDAC's around the country are
staffed at different manning levels, so the amount of assistance
each command is able to provide may vary. COMNAVDAC
maintains a list of contractors approved to conduct risk
assessments or to provide assistance to commands conducting
their own risk assessments.


AC CHE framework for conducti
Naval Postgraduate School demonstrates, the task of
conducting one is certainly non-trivial. como a ais
of all systems assets and procedures and assigning impact
values to them is a complicated, time-consuming endeavor.
Of equal difficulty is determining a list of all potential
threats and their associated frequency ratings. It requires
personnel experienced in the areas of computer operations,
finance and administration. The computation of the annual
loss expectancy and its use in evaluating the potential
benefits of countermeasures is also an effort which requires
a great deal of precision and judgement. The ADP Security
Manual provides a reasonably clear explanation of these
steps and good background material which i
manual also provides examples for each typ

In general, the emphasis currently being devoted to
security and risk assessments in the Navy is very ti


prudent. Given the dependence of the Navy on computer technology
for such services as supply processing, a CD
spare parts failure and usage rates, environmental forecasting,
payroll and personnel records and a myriad of other
tasks, it is easy to imagine the havoc which could be
created if these services are disrupted. The risk assessment
program is a positive effort to study the state of
security with respect to a command's computer systems,
quantifying the assets and threats and using this data to
evaluate countermeasures. The criteria for evalu
termeasures is cost-effectiveness. Menos
procedure appears to be a logical manner in which to determine
the relative impacts of various threats on system
assets using this criteria.

It is difficult, if not impossible, to quantify
the exact value of the risk assessment itself. Sanos, the
Stall CULECSe CE a risk assessment is to justify countermeasures
in order to prevent disasters, hop
disasters will be averted. Certainly n will be
directed to problem areas in security. How i
EES Process has not been quantified, the logic providing
the impetus to conduct such assessments seems well-grounded.
No procedure in this area, however, will be successful
unless it receives a sufficient amount of command attention.
The general tendency for most commands is to treat the
mI YT and reliability of computer services in a "taken-for-granted"
manner. The magnitude GET RE 6 ei
disasters due to the loss of computer services makes a
change in this type of care-free attitude imperative. The
requirement directing all commands with computer systems to
conduct a risk assessment is an important, viable means of
correcting this attitude. It forces commands to make a
rational, thoughtful analysis of its systems as directed by
OPNAVINST 5239.12. To derive maximum profit from this
procedure, the command should ensure that all concerned
personnel are aware of the significance of conducting this
exercise. If the risk assessment procedure degenerates into
a "paperwork drill" conducted by some personnel in the lower
levels of the command, then the results may be virtually
worthless.


A. SUGGESTIONS/RECOMMENDATIONS FOR IMPROVEMENTS

As mentioned previously, the risk assessment at the
Naval Postgraduate School can be accomplished by students in
the various Computer Systems and Management curricula. This
situation would provide many benefits of both an academic
and practical type, not the least of which a
1) Provide participating students with a fu
knowledge of the computer security proble
2) Save the Naval Postgraduate School a considerable
amount of money.
The remaining recommendations are directed at the larger
scale problem. A measure which would improve be
tency and effectiveness of the risk assessment proced
might be to establish assist teams at NARDAC's through
the country. These teams would be available to ass
commands desirous of conducting risk assess
providing expertise in security areas not normal
posed by activities as part of their normal routine. The
establishment of these teams would serve several purposes:
1) Provide a body of experts to conduct risk
assessments and/or to provide assistance to
commands conducting them.
2) Enable commands throughout the Navy to conduct
their own assessments without being forced to
contract for services.

Another area which could be improved is to provide more
definitive guidance to commands concerning the value of
systems assets. Central agencies in Washington, D.C. such
as the Automatic Data Processing Selection Office (ADPSO) and
the Naval Data Automation Command (NAVDAC) maintain approval
authority and inventories of major systems throughout the
Navy. These agencies should possess data concerning the
costs of various types of hardware, software, and possibly
data. The dissemination of this data could eliminate some
of the estimating required to get values for systems assets.


A final recommendation concerns the subject of an aut
ed risk assessment package. Chapter Five has pr
the preliminary design for a Risk Assessment De
Support System. Aerzasıpnrinevescudy, conducted perh
one of the NARDAC's, might be undertaken to assess
this type would be beneficial and cost-effective on
Navy-wide basis. To satisfy a wide range of users, this DSS
would have to be extremely user-friendly and capable of
TENG a variety of inputs. It may be that the inventory
of Navy computer systems is so varied that this type of
management support aid would not be practical on such a
large basis. eee TH SOC GEL 5606 2259 Cf his
merit some investigation.

EXAMPLES OF VARIOUS FORMS USED IN RISK ASSESSMENT
COMPUTATIONS


This is an example of OPNAV 5239/7. 


ASSET VALUATION WORKSHEET

1. ASSET NAME

2. ASSET DESCRIPTION AND JUSTIFICATION OF IMPACT VALUE RATINGS ASSIGNED.

3. IMPACT VALUE RATING BY IMPACT AREA

MODIFICATION / DESTRUCTION / DISCLOSURE / DENIAL OF SERVICE


This is an example of OPNAV 5239/8.


OPNAVINST 5239.14

THREAT AND VULNERABILITY EVALUATION WORKSHEET

1. THREAT NAME

2. DESCRIPTION, EXAMPLES, AND JUSTIFICATION BASED ON EXISTING COUNTERMEASURES AND VULNERABILITIES.

3. SUCCESSFUL ATTACK FREQUENCY RATING BY IMPACT AREA.

MODIFICATION / DESTRUCTION / DISCLOSURE / DENIAL OF SERVICE

OPNAV 5239/8 (2-82)


This is an example of OPNAV 5239/10.


OPNAVINST 5239.14

ADDITIONAL COUNTERMEASURE EVALUATION WORKSHEET

COUNTERMEASURE NAME

2. ANNUAL COST

DESCRIPTION

THREATS AFFECTED BY THIS COUNTERMEASURE

ALE SAVINGS

7. RETURN ON INVESTMENT

SAVINGS

19. OVERLAPPING ADDITIONAL COUNTERMEASURES

OPNAV 5239/10 (2-82)